On Fri, Dec 30, 2011 at 12:14 AM, varoun p <[email protected]> wrote:
> On Fri, Dec 30, 2011 at 12:09 AM, varoun p <[email protected]> wrote:
>> On Thu, Dec 29, 2011 at 10:58 PM, Philip Guenther <[email protected]> wrote:
>>> On Thu, 29 Dec 2011, varoun p wrote:
>>>> Currently on a VirtualBox VM hosted on a Mac OSX Lion:
>>>> $ uname -prsv
>>>> OpenBSD 5.0 GENERIC#43 Intel(R) Core(TM) i5-2415M CPU @ 2.30GHz
>>>> ("GenuineIntel" 686-class)
>>>> $
>>>>
>>>> Creating a PEM encoded, self signed X.509 cert as follows:
>>>> $ openssl genrsa -out iam.key 1024
>>>> $ openssl req -new -key iam.key -out iam.csr
>>>> $ openssl x509 -req -in iam.csr -signkey iam.key -out iam.pem
>>>>
>>>> When trying to upload this cert (iam.pem) for use with Amazon Web
>>>> Services, I get a malformed certificate error.
>>>> The same sequence of steps when run on Darwin (Darwin 11.0.0 Darwin
>>>> Kernel Version 11.0.0: Sat Jun 18 12:56:35 PDT 2011;
>>>> root:xnu-1699.22.73~1/RELEASE_X86_64 i386) or FreeBSD (FreeBSD
>>>> 8.2-RELEASE-p3 FreeBSD 8.2-RELEASE-p3 #0: Tue Sep 27 18:07:27 UTC 2011
>>>> [email protected]:/usr/obj/usr/src/sys/GENERIC
>>>> i386) gives me a working cert that does not error out when trying to
>>>> use it with AWS.
>>>
>>> Since we don't all have access to Darwin and/or FreeBSD, what's the output
>>> of:
>>> openssl x509 -noout -text -in iam.pem
>>>
>>> for the unaccepted and accepted certs?
>>>
>>>
>>> Philip Guenther
>>
>> I created two certs, fbsd-iam.pem was created on a FreeBSD 8.2 host
>> and obsd-iam.pem was created on an OpenBSD 5.0 host. Both certs were
>> created using the same sequence of three commands listed earlier. The
>> cert fbsd-iam.pem was accepted while obsd-iam.pem was rejected with an
>> error that said 'Malformed certificate'.
>>
>> The requested output :
>>
>> sa-mac-varoun:cert-test varoun$ ls
>> fbsd-iam.pem obsd-iam.pem
>> sa-mac-varoun:cert-test varoun$ openssl x509 -noout -text -in fbsd-iam.pem
>> Certificate:
>>     Data:
>>         Version: 1 (0x0)
>>         Serial Number:
>>             eb:dc:97:63:8c:b1:ae:cc
>>         Signature Algorithm: sha1WithRSAEncryption
>>         Issuer: C=IN, ST=Karnataka, L=Bangalore, O=Directi,
>> OU=talk.to, CN=Varoun P/[email protected]
>>         Validity
>>             Not Before: Dec 29 18:20:19 2011 GMT
>>             Not After : Jan 28 18:20:19 2012 GMT
>>         Subject: C=IN, ST=Karnataka, L=Bangalore, O=Directi,
>> OU=talk.to, CN=Varoun P/[email protected]
>>         Subject Public Key Info:
>>             Public Key Algorithm: rsaEncryption
>>                 Public-Key: (1024 bit)
>>                 Modulus:
>>                     00:bf:80:94:d4:b7:c4:42:d8:f3:ad:c0:1c:b7:f1:
>>                     33:0f:f7:64:1b:22:68:70:14:0c:61:88:3d:20:47:
>>                     c6:10:97:c0:96:ce:ed:c9:96:41:f2:34:16:dd:15:
>>                     fb:ca:b2:ca:65:6f:50:68:f0:7b:34:30:ae:11:b9:
>>                     43:33:99:f3:d4:d2:03:12:06:8c:85:6b:e9:97:fe:
>>                     38:b6:e6:8a:39:c0:b6:33:92:3b:0c:ac:43:72:f2:
>>                     a2:bc:ba:d4:71:42:2c:da:40:28:1d:28:8f:a9:f2:
>>                     54:db:f1:e3:2a:5e:f1:e4:2e:71:24:54:51:86:d6:
>>                     3c:e6:9b:ec:a9:40:6b:67:25
>>                 Exponent: 65537 (0x10001)
>>     Signature Algorithm: sha1WithRSAEncryption
>>         54:0f:14:46:56:c3:f0:b7:85:aa:66:1c:3d:5e:b7:a1:b5:c0:
>>         3a:98:14:74:ef:6a:54:ad:d5:4b:c6:db:b6:2e:c8:a5:aa:1f:
>>         9d:db:33:c8:dd:46:81:9b:9d:73:b9:81:71:ac:0c:c6:d9:14:
>>         52:61:b7:6a:e0:62:87:72:98:26:a6:a0:15:3f:bc:4e:02:81:
>>         97:3a:86:6f:3c:a2:6f:9e:d8:9b:17:27:ef:af:e2:27:5a:18:
>>         f0:a4:32:35:70:1c:23:16:34:e6:e1:48:09:e8:33:08:de:f2:
>>         f5:57:25:a9:cf:1f:19:e5:4b:5d:57:6f:38:a7:76:98:53:46:
>>         3d:cc
>> sa-mac-varoun:cert-test varoun$ openssl x509 -noout -text -in obsd-iam.pem
>> Certificate:
>>     Data:
>>         Version: 1 (0x0)
>>         Serial Number:
>>             d9:da:50:80:12:fb:05:2e
>>         Signature Algorithm: sha1WithRSAEncryption
>>         Issuer: C=IN, ST=Karnataka, L=Bangalore, O=Directi,
>> OU=talk.to, CN=talk.to/[email protected]
>>         Validity
>>             Not Before: Dec 29 23:55:50 2011 GMT
>>             Not After : Jan 28 23:55:50 2012 GMT
>>         Subject: C=IN, ST=Karnataka, L=Bangalore, O=Directi,
>> OU=talk.to, CN=talk.to/[email protected]
>>         Subject Public Key Info:
>>             Public Key Algorithm: rsaEncryption
>>                 Public-Key: (1024 bit)
>>                 Modulus:
>>                     00:ea:28:24:b2:19:96:fd:27:ac:3d:5c:b1:41:cd:
>>                     68:0b:3d:17:40:b8:28:75:14:64:40:55:54:cc:dd:
>>                     52:31:7a:c2:e1:65:9b:21:fc:32:7c:74:94:57:90:
>>                     b2:b8:e5:dd:f6:b7:b0:d6:87:b6:60:91:22:e7:bb:
>>                     57:ce:10:0b:c8:f5:9b:d8:94:0b:bb:d9:df:f1:4c:
>>                     6b:5a:10:b1:79:00:7e:9c:11:66:bf:7c:3b:2b:5f:
>>                     f9:f5:20:22:30:6e:f1:23:4a:a2:d3:16:38:80:d6:
>>                     d6:a6:e5:15:7b:bb:22:38:00:0b:9f:ef:c7:98:55:
>>                     0b:c8:59:ab:60:0d:16:34:15
>>                 Exponent: 65537 (0x10001)
>>     Signature Algorithm: sha1WithRSAEncryption
>>         30:b5:f6:4c:cd:f3:67:e1:ec:31:8b:e2:72:ef:54:09:f8:52:
>>         4b:55:0b:30:1d:58:ba:db:a7:3b:cb:52:cd:d4:95:d2:2f:ca:
>>         e5:45:33:e9:55:2e:d6:c6:2b:91:ca:ea:53:47:bf:ca:6d:45:
>>         cf:c8:94:1d:1c:02:3e:2c:ce:79:c3:82:2d:bb:a5:08:a7:f3:
>>         79:34:ef:13:42:13:f8:3e:78:a8:38:72:75:4d:83:9e:a5:8b:
>>         d2:5b:f3:99:4e:3f:72:25:c7:df:85:1b:12:9f:98:9b:6c:72:
>>         94:fd:cb:10:3a:ec:52:d6:bb:27:37:14:15:13:d3:ce:ab:07:
>>         f4:7c
>> sa-mac-varoun:cert-test varoun$
>>
>>
>> I've also attached both certs to this email.
>>
>> -- varoun
>
> I just noticed that the clock on the OpenBSD host was off by a few hours:
>
> On FreeBSD:
>> date
> Fri Dec 30 00:12:54 IST 2011
>>
>
> On OpenBSD:
> $ date
> Fri Dec 30 05:42:55 IST 2011
> $
>
> This may have been the problem, I'll investigate further.
>
> -- varoun

I've confirmed that the inaccurate clock was to blame for this. After running ntpd on the OpenBSD host, and creating a new cert, it was accepted by AWS. Apologies for not checking this earlier.

best,
-- varoun
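
The clock problem is visible in the two dumps quoted above. As an added example (not part of the original thread), this Python sketch parses the Validity block of `openssl x509 -noout -text` output and classifies each cert against a reference time. It assumes the FreeBSD host's clock was correct and that the rejecting service refuses a cert whose Not Before lies in the future; the thread confirms only that the clock was to blame. The function and constant names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Validity fields copied from the two `openssl x509 -noout -text` dumps in the thread.
FBSD_TEXT = """\
        Validity
            Not Before: Dec 29 18:20:19 2011 GMT
            Not After : Jan 28 18:20:19 2012 GMT
"""
OBSD_TEXT = """\
        Validity
            Not Before: Dec 29 23:55:50 2011 GMT
            Not After : Jan 28 23:55:50 2012 GMT
"""

# Assumption: the FreeBSD clock was right. Its `date` output in the thread,
# "Fri Dec 30 00:12:54 IST 2011", is 18:42:54 UTC on Dec 29 (IST = UTC+05:30).
IST = timezone(timedelta(hours=5, minutes=30))
REFERENCE_NOW = datetime(2011, 12, 30, 0, 12, 54, tzinfo=IST)

_FIELD = re.compile(r"Not (Before|After)\s*:\s*(.+?)\s+GMT")


def parse_validity(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    found = {}
    for kind, stamp in _FIELD.findall(text):
        stamp = " ".join(stamp.split())  # openssl space-pads single-digit days
        parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
        found[kind] = parsed.replace(tzinfo=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("no complete Validity block in input")
    return found["Before"], found["After"]


def check_validity(text, now, skew=timedelta(0)):
    """Classify a cert as seen by a verifier whose clock reads `now`.

    `skew` is the clock drift the verifier is willing to tolerate.
    Returns (status, distance outside the validity window).
    """
    not_before, not_after = parse_validity(text)
    if not_before - skew > now:
        return "not-yet-valid", not_before - now
    if not_after + skew < now:
        return "expired", now - not_after
    return "valid", timedelta(0)


if __name__ == "__main__":
    for name, text in (("fbsd-iam.pem", FBSD_TEXT), ("obsd-iam.pem", OBSD_TEXT)):
        print(name, *check_validity(text, REFERENCE_NOW))
```
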
